Intro
In short, Threat Intelligence (aka Threat Intel) is the process of analysing data and information, using techniques and tools, in order to generate meaningful insight and patterns about how to mitigate the potential risks associated with existing or emerging threats that target orgs, industries, governments, etc.
We are generally interested in who is attacking us, why, and what their capabilities are. We also care about which IOCs and artefacts we should look for when investigating our environment for a particular group or threat actor.
Since Threat Intel tries to understand the connection between your operational environment and the threat actor, it usually gets broken down into the following:
- Strategic Intel
- Technical Intel
- Tactical Intel
- Operational Intel
Strategic Intel – Here, you look at your org’s threat landscape, mapping the risk areas based on trends, patterns and emerging threats that might be able to impact your business’ decisions.
Technical Intel – IR teams use this intel to map out the attack surface, analyse it and build defence mechanisms. This is usually done by looking at the IOCs and artefacts tied to the threat actor.
Tactical Intel – Assessment of the TTPs used by the threat actor.
Operational Intel – Investigates the threat actors’ intent and motives for the attack. This intel may be used to understand which of the org’s critical assets (people, technologies, etc.) could be targeted.
abuse.ch
abuse.ch started as one man’s initiative but is today a community-driven threat intel platform for cyber threats. In their own words:
abuse.ch’s main goal is to identify and track cyber threats, with a strong focus on malware and botnets. We not only publish actionable threat intelligence data on cyber threats but also develop and operate platforms for IT security researchers and experts enabling them to share relevant threat intel data with the community.
Their platforms are:
- Malware Bazaar – For sharing malware samples with the community and threat intel providers
- Feodo Tracker – Tracking botnet C&C infrastructure associated with Emotet, Dridex and TrickBot
- SSL Blacklist – Resource for collecting and providing blocklists of malicious SSL certificates and JA3/JA3s fingerprints
- URLhaus – For sharing malware distribution sites with the community and threat intel providers
- ThreatFox – Resource for sharing IOCs (Indicators of Compromise) with the community and threat intel providers
- YARAify – Resource for hunting suspicious files with YARA, and for sharing your YARA rules with the community
Malware Bazaar
This platform acts as a malware collection and analysis database.
You can upload malware samples through browser/API, consequently adding to the intelligence database. This threat intel can also be integrated into your SIEM.
You can also hunt for malware by setting up alerts that match on different signatures, YARA rules or vendor detections.
Feodo Tracker
This platform looks to share intel on botnet C2 (command & control – C&C) servers that are associated with Dridex, Emotet (Heodo), TrickBot, etc.
This is done by providing a database of known C&C servers to security analysts, who can then check any IP address they deem suspicious or have already seen in their environment. There is also information on IP and IOC blocklists, and on mitigations used to avoid infections by these botnets.
SSL Blacklist
This tool identifies and detects malicious SSL connections and blacklists the SSL certificates used by botnet C&C servers. It also identifies JA3 fingerprints, which can help you detect and block botnet C&C comms within the TCP layer.
You can sift through the SSL certs and JA3 fingerprints, but you can also download them and add them to your deny list/threat hunting ruleset.
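As an added example (not code from the abuse.ch project or from this post), here is how the Feodo Tracker C2 list and the SSL Blacklist JA3 fingerprints described above can be turned into a simple deny list / hunting check run over firewall or proxy logs. Both feed layouts, the column names and the key=value log format are assumptions constructed for this example, and all IP addresses and fingerprint values are documentation-range or made-up values, not real indicators.

```python
"""Match constructed connection logs against a Feodo Tracker-style C2 IP
blocklist and an SSL Blacklist-style JA3 fingerprint list (added example)."""
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample in a Feodo Tracker-like CSV layout (column names assumed).
C2_BLOCKLIST_CSV = """\
# Feodo Tracker style C2 IP blocklist (constructed sample, not real data)
first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2024-01-05 10:00:00,198.51.100.23,443,online,2024-01-07,Dridex
2024-01-06 08:30:00,203.0.113.77,8080,offline,2024-01-06,TrickBot
"""

# Constructed sample in an SSL Blacklist-like CSV layout (column names assumed,
# fingerprint value made up).
JA3_BLOCKLIST_CSV = """\
# SSL Blacklist style JA3 fingerprints (constructed sample, not real data)
ja3_md5,first_seen,last_seen,listing_reason
51c64c77e60f3980eea90869b68c58a8,2024-01-01,2024-01-07,Dridex C&C
"""

# Constructed key=value connection log lines (hypothetical format).
SAMPLE_LOGS = [
    "2024-01-07T12:00:01Z src=10.0.0.5 dst=192.0.2.10 dport=443 ja3=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "2024-01-07T12:00:09Z src=10.0.0.7 dst=198.51.100.23 dport=443 ja3=51C64C77E60F3980EEA90869B68C58A8",
    "2024-01-07T12:01:15Z src=10.0.0.9 dst=203.0.113.77 dport=8080",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "c2_ip" or "ja3"
    indicator: str
    detail: str      # malware family / C2 status, or the JA3 listing reason


def _rows(csv_text):
    # abuse.ch downloads carry '#' comment lines; drop them before CSV parsing.
    return csv.DictReader(line for line in io.StringIO(csv_text) if not line.startswith("#"))


def load_c2_ips(csv_text):
    """Map C2 IP -> 'malware (status)'. Offline C2s are kept: a hit on one is still
    worth a look, since the host talked to known botnet infrastructure."""
    return {r["dst_ip"]: f'{r["malware"]} ({r["c2_status"]})' for r in _rows(csv_text)}


def load_ja3(csv_text):
    """Map lower-cased JA3 MD5 -> listing reason."""
    return {r["ja3_md5"].lower(): r["listing_reason"] for r in _rows(csv_text)}


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def scan_logs(log_lines, c2_ips, ja3_fps):
    """Return a Hit for every destination IP or JA3 fingerprint found in the feeds."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = dict(FIELD_RE.findall(line))
        dst = fields.get("dst")
        if dst in c2_ips:
            hits.append(Hit(n, "c2_ip", dst, c2_ips[dst]))
        # JA3 values are MD5 hex; normalise case so feed and log agree.
        ja3 = fields.get("ja3", "").lower()
        if ja3 in ja3_fps:
            hits.append(Hit(n, "ja3", ja3, ja3_fps[ja3]))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, load_c2_ips(C2_BLOCKLIST_CSV), load_ja3(JA3_BLOCKLIST_CSV)):
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator} -> {hit.detail}")
```

In practice you would replace the two embedded CSV strings with the downloaded feeds and the sample list with a real log source; matching on both the destination IP and the JA3 fingerprint is useful because a C2 IP changes more often than the TLS client fingerprint of the malware family that talks to it.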
URLhaus
As an analyst, this is an awesome tool for you to perform some validation during your investigation. You can search the database for malicious URLs, hashes, domains and file types. You can also contribute your own malware URLs in order to help others protect their networks.
URLhaus can also give you information on AS numbers, TLDs and associated countries.
ThreatFox
The ThreatFox platform is built around sharing and exporting IOCs that are associated with malware. You can export the threat intel from ThreatFox in many formats (JSON, CSV, MISP events, Suricata IDS rulesets, domain hosts files, etc.).
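To show what "making IOCs actionable" looks like in practice, here is an added example (not code from ThreatFox or from this post) that takes a ThreatFox-style JSON export and turns it into two of the formats mentioned above: a hosts-file deny list for domains and Suricata alert rules for C2 IP:port pairs. The field names (ioc, ioc_type, threat_type, malware, confidence_level) are my assumption of the export layout, the indicator values are constructed placeholders, and the example also shows the checks a practitioner wants before feeding a third-party list into a sensor: per-type validation, a confidence threshold, de-duplication, and sanitising feed text that ends up inside a rule.

```python
"""Convert a ThreatFox-style IOC export into a hosts deny list and Suricata
rules, validating each indicator first (added example)."""
import ipaddress
import json
import re

# Constructed sample export. Field names are assumed; values are documentation-range
# addresses, a placeholder domain and the MD5 of empty input, i.e. not real IOCs.
SAMPLE_EXPORT = json.dumps({
    "query_status": "ok",
    "data": [
        {"ioc": "198.51.100.23:443", "ioc_type": "ip:port", "threat_type": "botnet_cc",
         "malware": "Dridex", "confidence_level": 90},
        {"ioc": "Evil-Updates.example", "ioc_type": "domain", "threat_type": "payload_delivery",
         "malware": "Emotet", "confidence_level": 75},
        {"ioc": "d41d8cd98f00b204e9800998ecf8427e", "ioc_type": "md5_hash", "threat_type": "payload",
         "malware": "TrickBot", "confidence_level": 50},
        # Malformed indicator: must be rejected, not turned into a rule.
        {"ioc": "not-an-ip:443", "ioc_type": "ip:port", "threat_type": "botnet_cc",
         "malware": "Dridex", "confidence_level": 90},
        # Exact duplicate of the first entry: must be emitted only once.
        {"ioc": "198.51.100.23:443", "ioc_type": "ip:port", "threat_type": "botnet_cc",
         "malware": "Dridex", "confidence_level": 90},
    ],
})

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def normalise_ioc(ioc_type, value):
    """Validate one indicator against its declared type; return canonical form or None."""
    value = value.strip().lower()
    if ioc_type == "ip:port":
        host, sep, port = value.rpartition(":")
        if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
            return None
        try:  # strip optional [] around IPv6 literals before parsing
            return f"{ipaddress.ip_address(host.strip('[]'))}:{int(port)}"
        except ValueError:
            return None
    if ioc_type == "domain":
        return value if DOMAIN_RE.match(value) else None
    if ioc_type == "md5_hash":
        return value if MD5_RE.match(value) else None
    if ioc_type == "sha256_hash":
        return value if SHA256_RE.match(value) else None
    return None  # other types (e.g. url) are out of scope for this example


def parse_export(text, min_confidence=0):
    """Return validated, de-duplicated records with confidence >= min_confidence."""
    records, seen = [], set()
    for entry in json.loads(text).get("data", []):
        if int(entry.get("confidence_level", 0)) < min_confidence:
            continue
        ioc_type = entry.get("ioc_type", "")
        value = normalise_ioc(ioc_type, entry.get("ioc", ""))
        if value is None or (ioc_type, value) in seen:
            continue
        seen.add((ioc_type, value))
        records.append({"ioc": value, "ioc_type": ioc_type,
                        "threat_type": entry.get("threat_type", "unknown"),
                        "malware": entry.get("malware", "unknown")})
    return records


def _msg(rec):
    # '"' and ';' terminate Suricata options; never let feed-supplied text inject them.
    clean = lambda s: re.sub(r'[";]', "", str(s))
    return f'ThreatFox {clean(rec["threat_type"])} {clean(rec["malware"])}'


def to_hosts_lines(records):
    """Sinkhole entries for a hosts file; only domain IOCs can be expressed this way."""
    return [f"0.0.0.0 {r['ioc']}" for r in records if r["ioc_type"] == "domain"]


def to_suricata_rules(records, sid_start=9000000):
    """One rule per network IOC. Hash IOCs are not visible on the wire and are skipped."""
    rules, sid = [], sid_start
    for r in records:
        if r["ioc_type"] == "ip:port":
            ip, _, port = r["ioc"].rpartition(":")
            # Assumes TCP C2 traffic; change the protocol if the feed says otherwise.
            rules.append(f'alert tcp $HOME_NET any -> {ip} {port} (msg:"{_msg(r)}"; sid:{sid}; rev:1;)')
        elif r["ioc_type"] == "domain":
            rules.append(f'alert dns any any -> any any (msg:"{_msg(r)}"; dns.query; '
                         f'content:"{r["ioc"]}"; nocase; sid:{sid}; rev:1;)')
        else:
            continue
        sid += 1
    return rules


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT, min_confidence=60)
    print("\n".join(to_hosts_lines(recs) + to_suricata_rules(recs)))
```

The confidence threshold and the sid range are the two knobs you would tune per environment: a low-confidence IOC is fine for hunting but noisy as a blocking rule, and the sid range must not collide with rules you already run.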
Recap
Threat intelligence (aka TI or Cyber Threat Intelligence) is what you would use to supply information regarding the threat landscape – TTPs, threat actor groups, etc.
To count as threat intel (TI), data must be actionable, and to become actionable it must first be analysed. In other words, the data needs context before it qualifies as a viable piece of threat intel.
Threat intelligence usually changes quickly, as threat actors change their TTPs often.
Companies and vendors can share their threat intel within ISACs – Information Sharing and Analysis Centers.
Another breakdown of the TI process can be like this:
- Strategic – Helping management make informed decisions when it comes to security and strategy.
- Operational – Interacting with IOCs and learning more about how threat actors do their work
- Tactical – Interacting with the TTPs and attack models to learn more about the specific threat actor group and its patterns of attack
I also suggest checking out these two great resources to learn more about APTs and their techniques (TTPs):
- https://docs.google.com/spreadsheets/u/1/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/pubhtml
- https://www.mandiant.com/resources/insights/apt-groups
(I will add a few more links at the end of this article)
Conclusion
Okay! So, I looked into the TI process for a bit. This is a big landscape, with a lot of events that are constantly happening. To stay current, you would need to find good resources to follow, as well as create an adequate process at your company on how to handle it, why, and in what ways/cases.
The most interesting part (at least for me) is the fact that when you investigate this behaviour (let’s say you’re using the aforementioned Feodo Tracker to investigate C2 botnet servers) you’re actually learning about what the adversary does, and this is the most precious thing to have. You’re learning realistic things that are happening all the time around the globe, all the while trying to prevent your organization from getting compromised.
You’re not only being proactive, but you’re also learning about what is really used in some of those breaches you can usually read about. This is invaluable, as it can give you the edge against adversaries, when it comes to securing your environment against them.
Stay safe out there, and gather some TI!
Additional Resources
- https://www.nationalisacs.org/member-isacs-3
- https://www.circl.lu/doc/misp/
- https://github.com/MISP/
- https://threatconnect.com/
- https://otx.alienvault.com/
- https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf
- https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/pf/ms/sb-tiber-eu.pdf
- https://www.enisa.europa.eu/topics/national-cyber-security-strategies/information-sharing
Cover image by Alexandre Debieve
#threat_intel #abuse.ch #ioc